Ron, the CEO at a successful biotech firm, was preparing to head to a meeting with top investors, when he got a frantic call from his CFO. “Instead of paying us, one of our clients just sent their $48,000 payment to an unfamiliar bank account. And here’s the best part–they claim that YOU sent them an email requesting payments be sent to that account!”
Ron was mystified. Neither he nor the CFO could explain the payment details change. A feeling of panic overwhelmed Ron, as he realized the truth: he was the victim of a $48,000 cybercrime.
The Attack: Brute Force & Financial Fraud
Oliver is a black hat hacker who dreams of being a millionaire. Like most people, he goes into work every day at an office. But his office is in a dark basement which is full of servers, monitors, blinking lights, tangled wires, and hacking gadgets like the Flipper Zero, USB Rubber Ducky, and WiFi Coconut.
After doing his research, Oliver has decided to target the biotech industry. He knows that biotech firms engage in high value financial transactions on a daily basis. His goal is to compromise the accounts of major executives, impersonate them, and then steal money from the company by rerouting client funds to his own accounts.
Every day, Oliver uses a combination of free open-source tools and tools he bought on the darkweb as he attempts to pull off a digital heist that will make him rich. First, he uses a freely available and legal web scraping tool to collect the email addresses of biotech executives. Then he uses a program obtained from the darkweb to mount a brute-force attack on the executives’ email accounts.
Recently, Oliver lucked out and managed to crack the password to Ron’s email account. Once he had access, he impersonated Ron and sent a forged ACH letter to Ron’s clients, asking them to update their payment information. The new payment details pointed to Oliver’s bank account, so that instead of paying the biotech company, clients would send their money to Oliver!
Protecting Your Accounts: Multi-Factor Authentication
The important lesson to be learned from Ron’s story is that while passwords do offer some level of security, a password alone does not provide strong protection for your account.
Passwords are a form of “authentication”–a method of letting a digital system know that a person is who they claim to be. The problem with using only passwords for authentication is that they are frequently compromised. Security breaches at large applications and platforms mean that your passwords may be exposed without your knowledge. Even worse, if you reuse passwords across applications, an attacker who obtains one of them may be able to access your other online accounts as well.
But even if your password is secret, many systems are vulnerable to “brute force password attacks.” In a brute force password attack, attackers use programs to try to guess passwords; sometimes hackers write these programs themselves, but they are also available for sale on the darkweb. These attacks can succeed because there is always some chance that a program will guess your password; the stronger your password is, the lower that chance. Thus, although strong passwords with many random characters offer more protection than weak passwords, no password is totally secure from a brute force attack.
Because passwords alone offer insufficient protection of digital systems, today’s applications offer “Multi-Factor Authentication”; when authentication involves two discrete steps, Multi-Factor Authentication is sometimes called “2-Factor Authentication” or “2-Step Verification.” Typically, Multi-Factor Authentication uses One-Time Passwords: 4- to 8-character codes that are texted via SMS, emailed, or presented by an authenticator app. This means that an attacker who has your main password still cannot get into your account, because they will not have access to your One-Time Password.
A simple analogy can help explain why Multi-Factor Authentication is so important for maintaining security. Imagine that the account you are trying to secure is like an apartment inside an apartment building. Your main password is like the lock on the front door–most of the time, the lock keeps strangers out, but once in a while someone will sneak into the building.
If a thief gets inside your building, only a lock on your apartment door will prevent them from just walking into your apartment and taking your stuff. Using Multi-Factor Authentication is like having a lock on your apartment door. It provides a second line of defense and provides a much greater level of security than relying on a password alone. It ensures that if someone “sneaks in the front door” by stealing your password, they still cannot get into your account and impersonate you.
Setting Up Multi-Factor Authentication
The first step in setting up Multi-Factor Authentication is to make a list of all the accounts you use that need to be secured. Then log in to each account and check under the security settings for an option to enable “Multi-Factor Authentication,” “2-Factor Authentication,” or “2-Step Verification.”
For example, if you use Google, head to your account dashboard, click on “Security > 2-Step Verification,” and then follow the directions given. After that, when a login attempt occurs from an unknown device, Google will require either a response to an SMS sent to your phone or a One-Time Password before the user can access your account.
When you have several digital accounts to secure, consider using an Authenticator app. Authenticator apps can be connected to your digital accounts, which allows them to generate time-based One-Time Passwords directly when you access secured accounts. If you use a password manager like 1Password or Bitwarden, you can use the built-in One-Time Password features that these managers provide. Otherwise, you can try a free app like Authy, Google Authenticator, or Microsoft Authenticator.
Keeping Digital Accounts Secure
Along with using Password Managers, ensuring that all your digital accounts use Multi-Factor Authentication is an essential step in preventing cyber crime. If you need help standardizing multi-factor authentication across your organization, contact us to schedule a cybersecurity assessment.